Passive capture of usernames from RADIUS traffic

What is RADIUS?

RADIUS stands for Remote Authentication Dial In User Service and is defined in RFC 2865. A RADIUS server can support a variety of methods to authenticate a user. When it is provided with the username and original password given by the user, it can support PPP PAP or CHAP, UNIX login, and other authentication mechanisms.

Typically, a user login consists of a query (Access-Request) from the NAS (the Network Access Server, for example a wireless controller) to the RADIUS server and a corresponding response (Access-Accept or Access-Reject) from the server. The Access-Request packet carries the username (the User-Name attribute), the password (User-Password), the NAS IP address (NAS-IP-Address) and the port (NAS-Port). The password is not encrypted in any strong sense: it is hidden by XORing it with an MD5 keystream derived from the shared secret and the per-request Request Authenticator, so anyone holding the shared secret can recover it from a capture. The username, by contrast, travels in cleartext, which is what makes passive capture possible. One caveat for wireless: 802.1X/EAP deployments carry no User-Password at all (the credentials travel inside EAP-Message attributes), and User-Name holds whatever identity the client presented, which with PEAP or EAP-TTLS may be an anonymous outer identity rather than the real account name.

Why capture usernames from RADIUS traffic?

Many of our customers who provide wireless access on their networks use RADIUS to authenticate users. Active Directory logon events are often the source of usernames for wired devices, or for devices that can be managed and joined to the Active Directory domain. However, if you allow unmanaged devices onto your network, as a university does, RADIUS is a better choice for user authentication.

A few years ago, we added Active Directory integration to our LANGuardian product because customers wanted to associate network activity with usernames rather than IP addresses. We implemented this by collecting user logon events from domain controllers and storing them locally on LANGuardian, where they could be cross-referenced by running a report.

Initially, RADIUS integration seemed more complicated. Because RADIUS servers can be deployed on many different platforms, there is no standard source of user logon events. However, a customer of ours, an Information Security Manager at a Scottish university, suggested a new way to capture usernames during an onsite meeting. He said that it might be possible to capture usernames directly from network traffic.

They had large wireless networks and wanted usernames so they could save time troubleshooting operational and security issues. Their LANGuardian instance was highlighting user and application issues, but the source was always an IP address, so they had to spend more time working out which user was responsible by manually checking logs.

We took a sample PCAP from their network and used it to build a passive RADIUS username capture module. The image below shows how usernames can be seen within RADIUS.

Passive capture of usernames from RADIUS traffic using LANGuardian

LANGuardian captures traffic from a SPAN port and from other traffic sources. It then uses deep packet inspection to consolidate and correlate the data gathered by the traffic collection engine. In essence, it has a series of application decoders for popular protocols such as SMB, SQL, web and email. Our latest release adds a decoder for RADIUS traffic.

The image below shows the basics of how our RADIUS traffic decoder works. First, network packets (1) arrive from a SPAN mirror port or TAP (2). The LANGuardian content-based recognition engine (CBAR) then identifies the traffic as RADIUS (3) and hands it to the RADIUS traffic decoder. This decoder extracts the relevant metadata (4), such as the username, the IP address and the date and time of logon. Bear in mind that the only address normally present in an Access-Request is NAS-IP-Address, which identifies the controller or access point rather than the user's device; the client's own address usually arrives as Framed-IP-Address, most reliably in the RADIUS accounting packets (Accounting-Request with Acct-Status-Type Start or Interim-Update) on UDP port 1813, so a username-to-client-IP mapping needs the accounting traffic mirrored as well as the authentication exchange.
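To make the two steps above concrete (the Access-Request/Access-Accept exchange described under "What is RADIUS?" and the metadata extraction the decoder performs), here is an added example of a minimal passive RADIUS decoder in Python. It is not LANGuardian code and not taken from the original post; it is illustrative code written for this page. It parses the RFC 2865 header and attribute list, pairs a request with its response by Identifier, verifies the Response Authenticator, and, only when the shared secret is supplied, reverses the User-Password hiding. The function names, the shared secret "testing123", the fixed Request Authenticator and the sample packets are all constructed for the example and are not from any real capture.

```python
import hashlib
import struct
from datetime import datetime, timezone

# RFC 2865 packet codes and the attribute types this decoder needs
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT, FRAMED_IP_ADDRESS = 1, 2, 4, 5, 8
CODE_NAMES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject"}

def parse_radius(packet: bytes) -> dict:
    """Parse the 20-byte header and the TLV attribute list of one RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("RADIUS header is 20 bytes")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("Length field does not fit the packet")
    attrs, pos = [], 20
    while pos < length:                      # attributes run from offset 20 up to Length
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:  # alen counts the Type and Length bytes too
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return {"code": code, "id": ident, "authenticator": packet[4:20], "attrs": attrs}

def first_attr(pkt: dict, atype: int):
    """Value of the first attribute of type `atype`, or None if absent."""
    return next((v for t, v in pkt["attrs"] if t == atype), None)

def _password_xor(data: bytes, secret: bytes, request_auth: bytes, hiding: bool) -> bytes:
    """RFC 2865 s5.2: block i is XORed with MD5(secret + hidden block i-1), block 1 with
    MD5(secret + Request Authenticator). Hiding and revealing only differ in what is chained."""
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        xored = bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        out += xored
        prev = xored if hiding else block
    return out

def hide_user_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    return _password_xor(password + b"\x00" * (-len(password) % 16), secret, request_auth, True)

def reveal_user_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    return _password_xor(hidden, secret, request_auth, False).rstrip(b"\x00")

def response_authenticator_ok(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    length = struct.unpack("!H", response[2:4])[0]
    expected = hashlib.md5(response[:4] + request_auth + response[20:length] + secret).digest()
    return expected == response[4:20]

def extract_logon(request: bytes, response: bytes, seen_at: float, secret: bytes = None) -> dict:
    """Pair an Access-Request with its response (same Identifier) and return the logon
    metadata a passive decoder can record; `seen_at` is the capture time in epoch seconds.
    The username needs no secret; the password does, and is absent in 802.1X/EAP flows."""
    req, resp = parse_radius(request), parse_radius(response)
    if req["code"] != ACCESS_REQUEST or resp["id"] != req["id"]:
        raise ValueError("not a matching Access-Request / response pair")
    name, nas_ip, nas_port = (first_attr(req, t) for t in (USER_NAME, NAS_IP_ADDRESS, NAS_PORT))
    record = {
        "time": datetime.fromtimestamp(seen_at, timezone.utc).isoformat(),
        "username": name.decode("utf-8", "replace") if name else None,
        "nas_ip": ".".join(map(str, nas_ip)) if nas_ip else None,
        "nas_port": struct.unpack("!I", nas_port)[0] if nas_port else None,
        "result": CODE_NAMES.get(resp["code"], "code %d" % resp["code"]),
        "response_authentic": None,   # only known when the shared secret is available
        "password": None,
    }
    if secret is not None:
        record["response_authentic"] = response_authenticator_ok(response, req["authenticator"], secret)
        hidden = first_attr(req, USER_PASSWORD)
        if hidden is not None:
            record["password"] = reveal_user_password(hidden, secret, req["authenticator"]).decode("utf-8", "replace")
    return record

# --- constructed sample exchange (not a real capture): PAP logon of "alice" via NAS 10.0.0.2 ---
def _attr(atype: int, value: bytes) -> bytes:
    return bytes([atype, len(value) + 2]) + value

def _packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs

SECRET = b"testing123"            # assumed shared secret for the example
REQ_AUTH = bytes(range(16))       # fixed Request Authenticator so the example is repeatable
SAMPLE_REQUEST = _packet(ACCESS_REQUEST, 7, REQ_AUTH,
                         _attr(USER_NAME, b"alice")
                         + _attr(USER_PASSWORD, hide_user_password(b"s3cret!", SECRET, REQ_AUTH))
                         + _attr(NAS_IP_ADDRESS, bytes([10, 0, 0, 2]))
                         + _attr(NAS_PORT, struct.pack("!I", 3)))
_ACCEPT_ATTRS = _attr(FRAMED_IP_ADDRESS, bytes([10, 0, 5, 77]))
SAMPLE_RESPONSE = _packet(ACCESS_ACCEPT, 7, hashlib.md5(
    struct.pack("!BBH", ACCESS_ACCEPT, 7, 20 + len(_ACCEPT_ATTRS)) + REQ_AUTH + _ACCEPT_ATTRS + SECRET).digest(),
    _ACCEPT_ATTRS)

if __name__ == "__main__":
    print(extract_logon(SAMPLE_REQUEST, SAMPLE_RESPONSE, 1700000000.0))          # username, no secret needed
    print(extract_logon(SAMPLE_REQUEST, SAMPLE_RESPONSE, 1700000000.0, SECRET))  # password recovered, response verified
```

Run without the secret and the record still contains the username, NAS address, NAS port and outcome, which is all a monitoring product needs; run with the secret and it also yields the password and a verified Response Authenticator, which is the reason a captured RADIUS shared secret should be treated as a credential in its own right. Feeding the decoder real packets means reading UDP payloads on ports 1812 (authentication) and 1813 (accounting) from a SPAN or TAP feed and keying outstanding requests on source address plus Identifier before calling `extract_logon`.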

Once you capture usernames with LANGuardian, you can use this data with any LANGuardian report. The first example below shows how you can monitor network traffic to find out who is doing what on the Internet. Click on the image to view the report on our online demo.

In the next example, we show how you can generate an audit trail of file and folder activity (SMB and NFS) with usernames. The same data can also be used to root out security issues such as SMBv1 use on the network. Click on the image to view the report on our online demo.

If you have any questions about how to analyse RADIUS traffic on your network and extract usernames, or would like to know more about how our network traffic monitoring tool can meet your organization's requirements, do not hesitate to contact us and speak with one of our technical support team.